ASIC seeks feedback for important updates to the ePayments Code and mandate its effect

Introduction

ASIC has recently published a consultation paper seeking comments from stakeholders on a number of long-awaited updates to the ePayments Code (the Code), which has not been updated since 2010.

The proposed updates are largely aimed at bringing the Code up to speed with recent developments in the electronic payments environment. The Code is still voluntary, however ASIC has proposed that the Code will eventually be made mandatory through legislative mechanisms. If it becomes mandatory, this will have far-reaching impacts on the market, particularly for businesses which are not currently Code subscribers.

What is the ePayments Code?

The Code is a voluntary code of practice that regulates electronic payments in Australia by setting standards on how to comply with, and exceed, various aspects of the law. These include, for example, ATM, EFTPOS and card transactions, online payments and internet and mobile banking.

The Code has a broad subscription base, including most banks, credit unions and building societies operating in Australia, as well as other electronic payment services providers. Notable subscribers include the big four Australian banks, American Express and PayPal.

The Code’s centrepiece is a range of important protections that complement, and often enhance, the consumer and investor protections that ASIC administers (eg, the ASIC Act, Corporations Act and National Credit Code). Examples of the protections set out in the Code include:

• Requirements for disclosure to customers regarding product terms and conditions, and certain fees.
• Providing that customers are not liable for unauthorised transactions involving their accounts, provided they have taken reasonable precautions to protect such accounts.
• Procedures for banks to follow when assisting consumers who are looking to recover their money if they have inadvertently transferred funds to the wrong recipient.
• Complaints-handling procedures for situations where a customer is dissatisfied with a subscriber’s conduct.

The Code operates by imposing requirements as part of a subscribing financial institution’s terms and conditions with its customers. In this way, the requirements of the Code are incorporated into, and form part of, the contract between that financial institution and the relevant customer.

ASIC’s current review

On the basis that there have been significant developments in the electronic payments environment since the last time the Code was reviewed, the purpose of ASIC’s review of the Code is to ensure that:

1. the Code’s policy settings are appropriately positioned for current and (if possible) future customers and electronic payments service providers; and
2. the Code is simple to apply and easy to understand for all stakeholders, including both customers and electronic payments service providers.

We set out in this article some of the proposed changes and their potential impact.

Proposed changes

Mandatory legislative effect

In 2014, the Government accepted recommendations to move away from the current voluntary subscription scheme and mandate compliance with the Code. The recommendation was made as part of the findings from the Financial System Inquiry, where the Government examined how the financial system could be positioned to best meet Australia’s evolving needs and support Australia’s economic growth. Since then, the Council of Financial Regulators in 2019 recommended that ASIC be empowered to enforce mandatory compliance with the Code, such as through a legislative rule-making power.

As such, until the Code is eventually mandated through legislative machinery, the current voluntary scheme is considered an interim measure. The Australian Government and other relevant bodies will in parallel consider policy issues arising from the Code.

Areas to be updated

The proposed updates to the Code mainly relate to the following areas:

1. Compliance monitoring and data collection: ASIC proposes to remove the requirement for subscribers to report annually in respect of unauthorised transactions. In lieu, ASIC proposes to retain and enhance its power that allows it to undertake ad hoc targeted monitoring and surveying compliance with Code obligations and other matters relevant to subscribers’ activities relating to electronic payments.
   
   Our take: Although this may lead to less red tape on an annual basis, the spectre of ASIC’s ad hoc compliance monitoring powers means that subscribers will still be required to continue collecting relevant information (which includes unauthorised transactions), whether or not they are actually required to report it on an ad hoc basis. Accordingly, we do not see significant benefit for subscribers from this change.
2. Clarifying and enhancing the mistaken internet payments (MIP) framework: ASIC proposes (amongst other things) to extend the MIP framework to allow customers to retrieve partial funds if the full amount is not available in the unintended recipient’s account. ASIC would also include a non-exhaustive list of examples (in the Code itself) where the receiving ADI would meet the requirement to make reasonable endeavours to retrieve a customer’s MIP.
   
   Our take: These changes are overwhelmingly a step in the right direction and provide much needed clarity in this area of the Code. For example, there was previously little guidance on what constituted reasonable endeavours to retrieve a customer’s MIP. The proposed non-exhaustive list serves as a useful benchmark for receiving ADIs as to what options they may need to consider on a case-by-case basis. Subscribers should also consider and build this guidance into their relevant policies and procedures.
3. Extending the Code to small business: ASIC proposes to extend the Code’s protection to small businesses (or group of related bodies corporate) employing fewer than 100 people. Subscribers may, however, elect through an opt-out mechanism in the Code, not to extend the protections to these small business.
   
   Our take: This change balances the need for the Code to apply to smaller players, whilst also providing a clean and easy opt-out mechanism. We do, however, recommend that subscribers weigh their desire to afford their customers the protections offered under the Code against the burdens that are imposed by the Code.
4. Clarifying the unauthorised transactions provisions: ASIC proposes clarifying that:
   1. the unauthorised transactions provisions of the Code apply only where a third party has conducted a transaction without the customer’s consent;
   2. a breach of passcode security requirements is not, of itself, sufficient to find a customer liable for a transaction, and instead, the customer must have contributed to the loss; and
   3. charge-back processes available through card schemes represent separate protection regimes to the protections available under the Code.
   
   Our take: Again, this heralds much needed clarity for stakeholders and will form a key element of the proposed mandatory scheme when it comes into effect in the coming years.
5. Complaints handling: ASIC proposes a single complaints handling framework where all subscribers must have internal dispute resolution procedures that are set out in Regulatory Guide 271 and be members of the Australian Financial Complaints Authority.
   
   Our take: This simplifies and standardises the complaints handling process, which is generally beneficial for customers. However, it creates a rigid regime and strips subscribers of options to implement their own complaints handling system. Indeed, there is a raft of reasons why a subscriber may wish to institute its own complaints handling system. For example, subscribers may wish to implement complaints handling procedures that work with their existing systems or international procedures. For global service providers, this loss of flexibility may ultimately amount to a cost of doing business in Australia.

Overall, the proposed amendments are encouraging, but there is room for further improvement. In any event, electronic payment service providers should now be on notice as to the requirements of the Code and the proposed amendments as they are likely to be imposed across the industry.

Next steps

Submissions are due by Friday, 2 July 2021.

ASIC will then will consider stakeholder feedback and publish a report outlining the submissions and ASIC’s final positions on issues raised. ASIC will also issue a draft updated Code for comments on the technical wording and format.

ASIC has stated that it hopes to release the updated Code by late 2021. Once finalised, current subscribers to the Code will be required to reapply for the updated version of the Code through ASIC.

If you would like any assistance with entering a submission in response to the consultation paper, or otherwise navigating or subscribing to the Code, please get in touch with our team.